Act now to avoid unnecessary exposure to information security risk

Already have an ISMS? Perhaps we can help you create a better one!

Transitioning your ISMS for the new edition of ISO/IEC 27001

With the publication of ISO/IEC 27002:2022, an amendment to ISO/IEC 27001 is expected soon, which will update the content of Annex A to align the controls with those in the new edition of ISO/IEC 27002. For continued conformity with ISO/IEC 27001, organisations will then be obliged to recompare their necessary controls with those in the new Annex A and amend their ISMS, including their Statements of Applicability (SOA), as appropriate. As this change impacts on conformity assessment, the IAF (International Accreditation Forum) will issue a transition statement at about the same time. It is anticipated that organisations will have two years to make the change.

Want to know more?

The new control set in ISO/IEC 27001 Annex A does not constitute a new set of control requirements. Nevertheless, changes will be required if, following recomparison, you discover any necessary control omissions, and need to justify any further Annex A exclusions.

The first step is to assess the impact of the changes on your ISMS. The most likely outcome is that you will need to rework your risk assessment and risk treatment processes, implement new controls and update your SOA.

When is the best time to do this?

The new edition of ISO/IEC 27001 is not expected until April-June 2022 and the transition period will not start until then. This implies that you have until mid-2024 to make any necessary changes. However, the risk is not a certification risk, it is an information security risk. If recomparison with the new control set discovers any omitted necessary controls, not implementing them now could mean that you are running unnecessary information security risks. ISO/IEC 27002 is available now, so you know what will be in the new Annex A. It is therefore prudent to carry out your impact assessment now.

What should I do now?

  • acquire a copy of ISO/IEC 27002:2022 and read the BSI White Paper;
  • compare your necessary controls with the ISO/IEC 27002:2022 controls;
  • determine if you have any missing necessary controls;
  • determine if any further justification is required for excluded Annex A controls;
  • hence assess the impact that the new ISO/IEC 27001 Annex A will have on your ISMS;
  • prioritise the changes based on your organisation's exposure to risk;
  • draw up plans for implementing any required changes; and
  • execute those plans according to your established priorities.


How can IMS-Smart help?

As part of our provision of expert ISMS consultancy, IMS-Smart can:

  • guide you through the transition process;
  • help you to make a correct assessment of the changes required; and
  • assist you to assign priorities in accordance with your exposure to risk and business needs.

We have assisted many organisations to develop their ISMS and have provided training in the UK, Norway, Latvia, Germany, Switzerland, Saudi Arabia, Kuwait, Qatar, Mauritius, India, South Korea and Singapore.

How can I find out more and obtain a quotation?

Please use our enquiry facility or send us an email to start a conversation. We can continue by telephone or video conferencing. Once we understand your requirements, we will be pleased to prepare a quotation and submit it for your consideration. Hopefully, you will find that it is competitive, and offers quality and value for money.